Security Incidents mailing list archives

Re: New Linux Trojan


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 6 Sep 2001 09:26:01 +1200 (NZST)


On Wed, 05 Sep 2001 13:57:12 -0700 Ben Ford 
<bford () securityexchange net> wrote:

Qualys Inc wrote:


executable programs. On Linux systems, the Remote Shell Trojan 
typically begins its replication activities in the current working 
directory and in the /bin directory.

[ . . .]

Mitigating Factors:
-------------------
The replication process of the Remote Shell Program can only affect 
binary files within the access privileges of the user who launched 
the originally infected program.


I think that this point should be emphasized a bit more, unless you are 
simply out for dramatization.  A properly configured machine won't have 
the root user running untrusted binaries.

True, however a local (non root) user compromise is still a serious 
matter.   This is another good reason to write-protect *all* 
executables, and preferably have them owned by someone other than the 
user.

Again Unix is protected because users can't write to most executable 
files.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
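
Added example (not part of the original message or the list archive): a Python audit for the mitigation discussed above, listing the executables under a directory that a given non-root uid could modify, whether through write bits or through ownership. The function names and the sample tree are constructed for illustration; writable parent directories and ACLs are not checked.

```python
import os
import stat
import tempfile

def modifiable_executables(root, uid, gids=()):
    """Map each regular executable file under root to the reason a non-root
    process with this uid and these group ids could alter it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            mode = st.st_mode
            if not stat.S_ISREG(mode) or not mode & 0o111:
                continue  # only regular files with an execute bit
            if st.st_uid == uid:
                # The owner can always chmod u+w, so a cleared write bit
                # only slows down a process running as the owner.
                findings[path] = ("owner-writable" if mode & stat.S_IWUSR
                                  else "owner can chmod")
            elif st.st_gid in gids:
                # Group members get the group bits, never the "other" bits.
                if mode & stat.S_IWGRP:
                    findings[path] = "group-writable"
            elif mode & stat.S_IWOTH:
                findings[path] = "world-writable"
    return findings

def build_sample_tree():
    """Constructed sample: a temp directory with files of known modes."""
    root = tempfile.mkdtemp(prefix="exec-audit-")
    for name, mode in [("tool", 0o755), ("locked", 0o555),
                       ("shared", 0o775), ("open", 0o757),
                       ("notes.txt", 0o644)]:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # explicit chmod, independent of umask
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    me = os.getuid()
    for path, why in sorted(modifiable_executables(tree, me).items()):
        print(f"{why:18} {path}")
```

Run against /bin or a user's own bin directory with that user's uid and group ids; an empty result means a program running as that user has no executable there to overwrite.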

